Vulnerabilities > CVE-2022-1407 - Unspecified vulnerability in Vikwp Hotel Booking Engine & PMS

CVSS 6.5 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

NONE

Integrity impact

HIGH

Availability impact

NONE

network

low complexity

vikwp

NVD

Published: 2022-05-16

Updated: 2024-11-21

Summary

The VikBooking Hotel Booking Engine & PMS WordPress plugin before 1.5.8 does not have CSRF check in place when adding a tracking campaign, and does not escape the campaign fields when outputting them In attributes. As a result, attackers could make a logged in admin add tracking campaign with XSS payloads in them via a CSRF attack

Vulnerable Configurations

Part	Description	Count
Application	Vikwp Vikwp Hotel Booking Engine & PMS *	1

References

https://wpscan.com/vulnerability/19a9e266-daf6-4cc5-a300-2b5436b6d07d
https://wpscan.com/vulnerability/19a9e266-daf6-4cc5-a300-2b5436b6d07d